Voter-verified paper audit trail: Difference between revisions

Content deleted Content added

Inline

Revision as of 00:27, 19 July 2007

Voter Verified Paper Audit Trail (VVPAT) or Verified Paper Record (VPR) was intended as an independent verification system for voting machines designed to assure voters that their vote was cast correctly, to detect possible election fraud or malfunction, and to provide a means to audit the stored electronic results. It is limited primarily by three factors. 1) Video of voter behavior during an actual election revealed that most voters do not "verify" their choices by reading the VVPAT. 2) A manual VVPAT recount/audit is labor intensive and expensive, and likely unaffordable to most candidates seeking it. 3) And most importantly, while VVPAT was designed to serve as a check on DRE (Direct Recording Electronic) vote recorders, it relied on the same proprietary programming and electronics, an obvious conflict which made VVPAT disingenuous by design.

The VVPAT offers some fundamental differences as a paper, rather than computer memory, recording medium when storing votes. A paper VVPAT is readable by the human eye and voters can directly interpret their vote. Computer memory requires a device and software which potentially is proprietary. Insecure voting machine^[1] records could potentially be changed quickly without detection by the voting machine itself. It would be more difficult for voting machines to corrupt records without human intervention. Corrupt or malfunctioning voting machines might store votes other than as intended by the voter unnoticed. A VVPAT allows voters the possibility to verify that their votes are cast as intended and can serve as an additional barrier to changing or destroying votes.

Overview

The Voter Verified Paper Audit Trail (VVPAT) is a method of providing feedback to voters using a ballotless voting system, including a direct recording electronic voting system (DRE), to assure voters that their votes have been recorded as intended. It is intended, and some argue necessary, as a means by which to detect fraud and equipment malfunction. Depending on election laws the paper audit trail may constitute a legal ballot and therefore provide a means by which a manual vote count can be conducted if a recount is necessary.

In Non-document ballot voting systems -- both mechanical voting machines and DRE voting machines -- the voter does not have an option to review a tangible ballot to confirm the voting system accurately recorded his or her intent. In addition, an election official is unable to manually recount ballots in the event of a dispute. Because of this, critics claim there is an increased chance for electoral fraud or malfunction and security experts, such as Bruce Schneier, have demanded voter-verifiable paper audit trails.^[2] Non-document ballot voting systems allow only a recount of the "stored votes." These "stored votes" might not represent the correct voter intent if the machine has been corrupted or suffered malfunction.

A fundamental hurdle in the implementation of paper audit trails is the performance and authority of the audit. Paper audit systems increase the cost of electronic voting systems, can be difficult to implement, often require specialized external hardware, and can be difficult to use. In the United States 27 states require a paper audit trail by statute or regulation for all direct recording electronic voting machines used in public elections.^[3] Another 18 States don't require them but use them either statewide or in local jurisdictions.^[4]

VVPAT Application

Various technologies can be used to implement a paper audit trail.

Attachment of a printer to direct recording electronic voting machines that print paper records stored within the machine. Such designs usually present the record to the voter behind a transparent surface (known as the "Mercuri method") to enable a voter to confirm a printed record matches the electronic ballot. The records can be manually counted and compared to the electronic vote totals in the event of a dispute.
Attachment of a printer to direct recording electronic voting machines that print an encrypted receipt that is either retained by the voter or stored within the machine. If the receipt is retained, the receipts can be manually counted and compared to the electronic vote totals in the event of a dispute. These systems have not been used in elections in the United States.
Creation of an encrypted audit trail at the same time the electronic ballot is created in an direct recording electronic voting machine, a form of witness system. The audit trail can be accessed and compared to the electronic vote totals in the event of a dispute.

Systems that allow the voter to prove how they voted are never used in U.S. public elections, and are outlawed by most state constitutions. The primary concerns with this solution are voter intimidation and vote selling.

Dr. Rebecca Mercuri, the creator of the VVPAT concept (as described in her Ph.D. dissertation in October 2000 on the basic voter verifiable ballot system), proposes to answer the auditability question by having the voting machine print a paper ballot or other paper facsimile that can be visually verified by the voter before being entered into a secure location. Subsequently, this is sometimes referred to as the "Mercuri method".

Professor Avi Rubin has testified in front of the United States House Committee on House Administration in favor of voting systems that use a paper ballot and disfavoring systems that use retrofitted VVPAT attachments. He has said on his personal blog that "after four years of studying the issue, I now believe that a DRE with a VVPAT is not a reasonable voting system."^[5]

An auditable system, such as that provided with VVPAT, can be used in randomized recounts to detect possible malfunction or fraud. With the VVPAT method, the paper ballot can be treated as the official ballot of record. In this scenario, the ballot is primary and the electronic records are used only for an initial count or, in some cases, if the VVPAT is damaged or otherwise unreadable. In any subsequent recounts or challenges the paper, not the electronic ballot, would be used for tabulation. Whenever a paper record serves as the legal ballot, that system will be subject to the same benefits and concerns of any paper ballot system.

Matt Quinn, the developer of the original Australian DRE system, believes that in the future there should be a, "There's no reason voters should trust a system that doesn't have it, and they shouldn't be asked to. Why on earth should [voters] have to trust me -- someone with a vested interest in the project's success? A voter-verified audit trail is the only way to 'prove' the system's integrity to the vast majority of electors, who after all, own the democracy."^[6]

Challenges and concerns with VVPAT

Security Concerns

The introduction of malicious software into a VVPAT system can cause it to intentionally misrecord the voter's selections. This attack could minimize detection by manipulating only a small percentage of the votes or for only lesser known races.^[7]

Another security concern is that a VVPAT could print while no voter is observing the paper trail, a form of ballot stuffing.^[8] Even if additional votes were discovered through matching to the voters list, it would be impossible to identify legitimate ballots from fraudulent ballots.

Alternately the printer could invalidate the printed record after the voter leaves and print a new fraudulent ballot. These ballots would be undetectable as invalidated ballots are quite common during elections.^[9]Also, VVPAT systems that are technically able to reverse the paper feed could be open to manipulated software overwriting or altering the VVPAT after the voter checks it.

Usability and ergonomic concerns

For the voter the printed record is "in a different format than the ballot, in a different place, is verified at a different time, and has a different graphical layout with different contrast and lighting parameters."^[10] In November 2003 in Wilton, CT, virtually all voters had to be prompted to find and verify their receipt, increasing the time required to vote and the work for the pollworkers. The VVPAT adds to the complexity of voting, already a deterrent to voting.^[10]

In addition, a VVPAT component may not be easily usable by poll-workers, many of whom are already struggling with DRE maintenance and use and new elections law requirements. In the 2006 primary election in Cuyahoga County, Ohio, a study found that 9.6 percent of the VVPAT tapes were either destroyed, blank, illegible, missing, taped together or otherwise compromised. In one case the thermal paper was loaded into the printer backwards leaving a blank tape.^[11]^[12], which was not realized by voters who couldn't verify the paper trail. The Cuyahoga Election Review Panel proposed in its final report to remove the opaque doors covering the VVPAT except the ones equipped with equipment for blind voters.^[13] In general collecting and counting these printed records can be difficult.^[10]

Records printed on continuous rolls of paper is more difficult than counting standard paper ballots or even punch cards.^[10]

Privacy concerns

Current VVPAT systems print the ballot records out in the order in which they were cast. Many jurisdictions also record the order in which voters vote^{[citation needed]}, thus possibly compromising the secrecy of the vote. If there are multiple voting machines it would be more difficult to match between the full voter list and the VVPATs.

Alternately, an attacker could watch the order in which people use a particular voting system and note the order of each particular vote he is interested in. If that attacker later obtains the paper ballot records she could compare the two and compromise the privacy of the ballot. This could also lead to vote selling and voter intimidation.^[14]

Effectiveness concerns

Also problematic is that voters are not required to actually check the paper audit before casting a ballot, which is critical to "verifying" the vote. While the option to look at the paper may provide comfort to an individual voter, the VVPAT does not serve as an appropriate check on malfunction or fraud unless a statistically relevant number of voters participate.

Accessibility concerns

Current VVPAT systems are not usable by some disabled voters. Senator Christopher Dodd (D-CT) testified before the United States Senate Committee on Rules and Administration at a June 2005 hearing on Voter Verification in Federal Elections "The blind cannot verify their choices by means of a piece of paper alone in a manner that is either independent or private. Nor can an individual who has a mobility disability, such as hand limitations, verify a piece of paper alone, if that individual is required to pick up and handle the paper."^[15]

The League of Women Voters (LWV) didn't see a need for VVPATs for a long time. In her testimony to the Election Assistance Commission in 2004 Kay Maxwell, President LWV still expressed concerns for voters with limited English proficiency and low literacy as well: "The VVPT system provides for the voter to verify the paper ballot, which historically disenfranchised voters will find difficult to do if they cannot see or if they have difficulty reading the paper verification. Private and independent voting is important, and, at this juncture, seems inconsistent with the VVPT system for significant numbers of voters."^[16] But in its June 2006 convention the LWV passed a motion to support only voting systems with a VVPAT.^[17]^[18]

Reliability Concerns

VVPAT systems can also introduced increased concern over reliability. Professor Michael Shamos points out that "Adding a paper printing device to a DRE machine naturally adds another component that can fail, run out of ink, jam or run out of paper. If DREs are alleged already to be prone to failure, adding a paper trail cannot improve that record."^[19] In Brazil in 2003, where a small number of precincts had installed paper trails, failure of the printers delayed voters by as much as 12 hours, a figure that would be catastrophic in the U.S.^[20]

Current implementation of VVPAT systems use thermal printers to print their paper ballot records. Ballot records printed on the thermal paper will fade with time. Also, heat applied to the paper before or after the election can destroy the printing.^[10]

Implementation concerns

It can be significantly more difficult to implement a VVPAT as an after-the-fact feature. For jurisdictions currently using direct recording electronic voting machines that lack a VVPAT, implementation can be expensive to add and difficult to implement due to the specialized external hardware required. To add a VVPAT component to a DRE machine, a jurisdiction would be required to purchase the system designed by the vendor of the DRE machine with a no bid, sole source purchase contract. That assumes the vendor has designed a component that is compatible with the DRE machine in use. The vendor may not have developed a VVPAT component that is compatible with the DRE machine in use, thus requiring the jurisdiction to purchase an entirely new voting system.

For jurisdictions not currently using direct recording electronic voting machines, the introduction of a new voting system that includes a VVPAT component would have less implementation challenges.

Some implementations of the VVPAT place a high cognitive burden on the voter and are extraordinarily error prone.^[21]

Legal Questions Around VVPAT

One important question of VVPAT systems is when should an audit be performed? Some have suggested that random audits of direct recording electronic voting machines be performed on Election Day to protect against machine malfunction. However, the partial tallying of votes before the polls have closed could create a problem similar to the occurrence in American national elections where a winner is declared based on East Coast results long before polls have closed on the West Coast. In addition, the partial tallying of votes before the polls have closed may be illegal in some jurisdictions. Others have suggested that random audits of direct recording electronic voting machines be performed after the election or only in the event of a dispute.

In the event an audit is performed after the election and a discrepancy is discovered between the ballot count and the audit count it is unclear which count is the authoritative count. Some jurisdictions have statutorily defined the ballot as the authoritative count leaving the role of an audit in question. Because VVPAT is a recent addition to direct record voting systems the authority question remains unclear.

Examples

Several voter verifiable audit trail systems exist. They include:

References

^ See page 3 of: Ariel J. Feldman, J. Alex Halderman and Edward W. Felten (September 13, 2006). "Security Analysis of the Diebold AccuVote-TS Voting Machine" (PDF). Princeton University Center for Information Technology Policy. {{cite journal}}: Cite journal requires |journal= (help)
^ Schneier, Bruce (November 10, 2004). "The Problem with Electronic Voting Machines". Retrieved December 22, 2006.
^ See: "Voter-Verified Paper Record Legislation". Verified Voting Foundation. December 21, 2006. Retrieved 2006-12-22.
^ Forbes.com: Paper Jams a Problem for Electronic Voting
^ Today's Congressional hearing, March 07, 2007 from Avi Rubin's blog
^ Zetter, Kim (November 3, 2003). "Aussies Do It Right: E-Voting". Wired News. Retrieved 2006-12-22.
^ VVPR Attack with Misprinted VVPAT, David L. Dill October 2, 2003
^ Paper Trail Manipulation I, Professor Michael I. Shamos Oct. 5, 2005
^ Paper Trail Manipulation II, Professor Michael I. Shamos Oct. 5, 2005
^ ^a ^b ^c ^d ^e Security Vulnerabilities and Problems with VVPT, Dr. Ted Selker, Jon Goler April 2004
^ Election Science Institute: DRE Analysis for May 2006 Primary Cuyahoga County, Ohio
^ Fessler, Pam (September 13, 2006). "Problems Found in Ohio Computer Voting". Retrieved 2007-02-04. {{cite news}}: Cite has empty unknown parameter: |coauthors= (help)
^ Cuyahoga Election Review Panel: Final Report July 20, 2006, page 50
^ http://vote.nist.gov/threats/papers/spooledpaper.pdf[Threat to voter privacy with voter verified paper audit trail voting systems using spooled paper rolls], John Wack, NIST
^ Hearing on Voter Verification in Federal Elections, 109th Cong. (2005). (testimony of Senator Christopher Dodd. Retrieved [Feb. 3 2007], from Senate Rules website.
^ Public Hearing on the Use, Security and Reliability of Electronic Voting Systems, Election Assistance Commission. (2004). (testimony of Kay Maxwell, President of the League of Women Voters. Retrieved [Feb. 3 2007], from EAC website.
^ eague of Women Voters, Report of Convention 2006 Action
^ The League of Women Voters Supports Voter-Verifiable Paper Trails (Bruce Schneier, July 05, 2006)
^ Michael Shamos (April 2004). "Paper v. Electronic Voting Records – An Assessment" (PDF). Retrieved Feb. 03 2007. {{cite journal}}: Check date values in: |accessdate= (help); Cite journal requires |journal= (help)
^ Mira, Leslie, "For Brazil Voters, Machines Rule," Wired News, Jan. 24, 2004.
^ Warren, Stewart. VoteTrustUSA. Eminent Computer Scientist Criticizes ES&S "Real Time Audit Log". June 21, 2006.

External links

Research

Independent Verification: Essential Action to Assure Integrity in the Voting Process, Roy G. Saltman, August 22, 2006
Brennan Center Voting Technology Initiative
Secret-Ballot Receipts: True Voter-Verifiable Elections (mirror) by David Chaum

Informational

ProCon.org's Review of paper audit trails

Advocacy and Commentary

[1] See page 3 of: Ariel J. Feldman, J. Alex Halderman and Edward W. Felten (September 13, 2006). "Security Analysis of the Diebold AccuVote-TS Voting Machine" (PDF). Princeton University Center for Information Technology Policy. {{cite journal}}: Cite journal requires |journal= (help)

[2] Schneier, Bruce (November 10, 2004). "The Problem with Electronic Voting Machines". Retrieved December 22, 2006.

[3] See: "Voter-Verified Paper Record Legislation". Verified Voting Foundation. December 21, 2006. Retrieved 2006-12-22.

[4] Forbes.com: Paper Jams a Problem for Electronic Voting

[5] Today's Congressional hearing, March 07, 2007 from Avi Rubin's blog

[6] Zetter, Kim (November 3, 2003). "Aussies Do It Right: E-Voting". Wired News. Retrieved 2006-12-22.

[7] VVPR Attack with Misprinted VVPAT, David L. Dill October 2, 2003

[8] Paper Trail Manipulation I, Professor Michael I. Shamos Oct. 5, 2005

[9] Paper Trail Manipulation II, Professor Michael I. Shamos Oct. 5, 2005

[selker-10] Security Vulnerabilities and Problems with VVPT, Dr. Ted Selker, Jon Goler April 2004

[11] Election Science Institute: DRE Analysis for May 2006 Primary Cuyahoga County, Ohio

[12] Fessler, Pam (September 13, 2006). "Problems Found in Ohio Computer Voting". Retrieved 2007-02-04. {{cite news}}: Cite has empty unknown parameter: |coauthors= (help)

[13] Cuyahoga Election Review Panel: Final Report July 20, 2006, page 50

[14] ttp://vote.nist.gov/threats/papers/spooledpaper.pdf[Threat to voter privacy with voter verified paper audit trail voting systems using spooled paper rolls], John Wack, NIST

[15] Hearing on Voter Verification in Federal Elections, 109th Cong. (2005). (testimony of Senator Christopher Dodd. Retrieved [Feb. 3 2007], from Senate Rules website.

[16] Public Hearing on the Use, Security and Reliability of Electronic Voting Systems, Election Assistance Commission. (2004). (testimony of Kay Maxwell, President of the League of Women Voters. Retrieved [Feb. 3 2007], from EAC website.

[17] ue of Women Voters, Report of Convention 2006 Action

[18] The League of Women Voters Supports Voter-Verifiable Paper Trails (Bruce Schneier, July 05, 2006)

[19] Michael Shamos (April 2004). "Paper v. Electronic Voting Records – An Assessment" (PDF). Retrieved Feb. 03 2007. {{cite journal}}: Check date values in: |accessdate= (help); Cite journal requires |journal= (help)

[20] Mira, Leslie, "For Brazil Voters, Machines Rule," Wired News, Jan. 24, 2004.

[21] Warren, Stewart. VoteTrustUSA. Eminent Computer Scientist Criticizes ES&S "Real Time Audit Log". June 21, 2006.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

[21]

@@ Line 58: / Line 58: @@
 ==Challenges and concerns with VVPAT==
 ===Security Concerns===
-The introduction of malicious software into a VVPAT system can cause it to intentionally misrecord the voter's selections. This attack could minimized detection by manipulating only a small percentage of the votes or for only lesser known races.<ref>[http://vote.nist.gov/threats/papers/misprintedVVPAT.pdf VVPR Attack with Misprinted VVPAT], [[David L. Dill]] October 2, 2003</ref>
+The introduction of malicious software into a VVPAT system can cause it to intentionally misrecord the voter's selections. This attack could minimize detection by manipulating only a small percentage of the votes or for only lesser known races.<ref>[http://vote.nist.gov/threats/papers/misprintedVVPAT.pdf VVPR Attack with Misprinted VVPAT], [[David L. Dill]] October 2, 2003</ref>
 Another security concern is that a VVPAT could print while no voter is observing the paper trail, a form of [[ballot stuffing]].<ref>[http://vote.nist.gov/threats/papers/papertrailhack.pdf Paper Trail Manipulation I], Professor [[Michael I. Shamos]] Oct. 5, 2005</ref> Even if additional votes were discovered through matching to the voters list, it would be impossible to identify legitimate ballots from fraudulent ballots.